Category Archives: Uncategorized

Hybrid SharePoint 2013/2016

Step-by-step script of my recent Hybrid SharePoint 2016 – Office 365 implementation:


Office 365 Prerequisites

  • set and configure custom domain name
  • synchronize users (e.g. like this)
  • provide Office 365 licenses for hybrid users
  • (for hybrid search or Sharepoint 2016 DLP) provide license for farm account

On-Premises AD prerequisites

  • AD group “HybridUsers” for hybrid users

On-premises SharePoint Prerequisites

  • managed metadata service application
  • user profiles service application
    • user profiles are synchronized (incl. User Principal Name and Work email)
    • MySites
    • Audience for HybridUsers AD group
  • app management service application
  • subscription settings service application
  • secure store service application
  • SP1 + September 2015 CU

On-Premises AD prerequisites

  • AD group “HybridUsers” for hybrid users


  • certificate to replace the default SharePoint STS certificate
    • no special requirements for subject
    • self-signed (lab/test)
    • public authority (production)

If you plan for inbound search of hybrid BCS – there are some more requirements



Create S2S trust, i.e. trust relationship between on-premises SharePoint and Office 365.

  • replace default STS certificate
  • upload certificate to Office 365
  • add SPN to Azure AD
  • register SPO application principal
  • set authentication realm (align this with high-trusted app environment)
  • configure on-prem proxy for Azure AD



Hybrid Sites and Hybrid OnDrive for Business

  1. goto Office 365 admin center -> SharePoint admin
  2. copy mysites site collection name (
  3. goto on-prem SharePoint CA -> Office 365 -> Configure hybrid OneDrive…
    • enter “My Site URL” from “2” Office 365 mysites site collection name
    • (optional) enter specific audience – “hybrid users”
    • select hybrid features – “OneDrive only” or “OneDrive and Sites”

Hybrid Sites Hybrid OnDrive for Business warnings:

  • you cannot activate hybrid sites w/o activating hybrid OneDrive for Business
  • users need to re-follow migrated sites
  • custom profile properties require additional steps
  • existing mysites content will not be migrated – consider
    • 3-rd party tools or
    • PowerShell(?) or
    • manual “old sync->backup->.stop sync -> new sync -> restore from backup -> sync” for every user




SharePoint <-> Office 365 users synchronization, ADFS and WAP

Azure AD Connect


  • (existing) AD DC
  • (new) DirSync Server, joined to domain (e.g. ds.domain.local), OS = Windows Server 2012 R2
  • domain admin and local admin account
  • Office 365 global admin account


  • add your domain to your Office 365 environment in advance (it takes time)
  • add .net 3.5 and .net 4.5 features to the DirSync server
  • ensure your account is local admin and domain admin and Enterprise Admin
  • go to Office 365 admin center, Settings, Services and Add-Ins, Directory Synchronisation, Start Wizard and follow instructions (start check etc.)




  • (existing) AD DC
  • (new) ADFS Server, joined to domain (e.g. fs.domain.local), OS = Windows Server 2012 R2
  • (new) WAP Server (e.g. wap.domain.local)
  • (create new) account for ADFS (like domain\adfs-svc) and make it local admin on ADFS Server
  • let say our service name is “” ( server name is “fs.domain.local”), then we need to
    enroll a certificate for service name (i.e., not a wildcard

    • Subject name and subject alternative name must contain your federation service name, such as
    • Subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, such as, for example,enterpriseregistration.domain.local
    • Subject alternative name must contain the value certauth followed by the adfs service name, e.g.
    • set private key as exportable
  • export this certificate (with password)
  • ensure A record in internal DNS for service name (i.e. points to ADFS server (“fs.domain.local”)



  1. create A-record for pointing to fs.domain.local
  2. (login on ADFS Server as adfs-svc), add (install) Active Directory Federation Services role
  3. Configure role
    1. choose “create the first…”
    2. provide domain admin account credentials
    3. choose SSL certificate ( and service name (same name),
      provide FS display name
    4. specify a domain user account (use an existing adfs-svc) and password
    5. create database (or use existing sql)
  4. Check configuration 
    1. go to “https://localhost/adfs/ls/idpinitiatedsignon.htm” (ignore certificate error, and do not login)




  1. Add role “Remote Access”, features by default, choose role services “Web Application Proxy”, add features.
  2. import certificate
  3. Configure role: enter FS name (, provide credentials (domain\adfs-svc)
  4. Create A-record on external DNS for FS name ( pointing to WAP external IP




Based on


Create New Performance Point Service Application failed

Create New Performance Point Service Application failed with “Address(int ) is an invalid or loopback address.  Specify a valid server address.”


$newServiceApplication = New-SPPerformancePointServiceApplication -Name $serviceName -ApplicationPool $applicationPool -DatabaseServer $dbServer -DatabaseName $serviceDB
New-SPPerformancePointServiceApplication : System.Object&, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089 Address(int ) is an invalid or loopback
address.  Specify a valid server address.
At line:1 char:26
+ $newServiceApplication = New-SPPerformancePointServiceApplication -Name $service …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Perfo…viceApplication:NewSPPerformanc…viceApplication) [New-SPPerformancePointServiceApplication], ArgumentException
    + FullyQualifiedErrorId : Microsoft.PerformancePoint.Scorecards.NewSPPerformancePointMonitoringServiceApplication


Solytion: provide fixed sysadmin sql server role for the account you run script.

SharePoint 2013 Streamlined Architecture

Based on “Streamlined Topologies for SharePoint Server 2013” diagram from Microsoft (“Topology design guidance for maximizing system resources”), 

Simplified for 4-servers high-available 3-tier farms:


Front-End Servers

Service applications, services, and components that serve user requests directly are placed on front-end servers. These servers are optimized for fast performance.

Low and Very low latency.

  • Access
  • BDC
  • Cache
  • MMS
  • Secure Store
  • State 
  • Subscription Settings
  • UPSA
  • User Code
  • Visio
  • Excel Calculation
  • Performance Point
  • Project
  • Search Query
  • Web Application/CA

Batch-Processing Servers

Service applications, services, and components that process background tasks are placed on a middle-tier of servers referred to as batch processing servers. These servers are optimized to maximize system resources. These servers can tolerate greater loads because these tasks do not affect performance observed by user

  • UPSA Sync
  • Workflow Timer Service
  • Machine Translation
  • Word Automation
  • Work Management
  • Search Crawl Target (Web Application)
  • Search Crawl/Analytics
  • PowerPoint conversion 


SharePoint Updates Qiuck Guide

(this article is under development)

It is important to test the update process in a test environment. Test environment must be as much as possible similar to production.


Applying SharePoint updates to a server farm

Safest update method

The safest method to update a SharePoint farm is to take the entire farm offline, update all servers, and then bring the farm back online. This method requires a maintenance window that might not be practical for all organizations.

High availability updating

High availability updating involves more planning, testing, and coordination. The general outline for the process includes the following steps.

Continue reading

SharePoint BC, HA and DR

(the article is under development)…

In short, keeping SharePoint online means designing a fault-tolerant architecture, coding customisations & apps in a well designed and tested manner, and implementing good SharePoint governance. First though, the architecture…


(SharePoint PLA – Product Line Architecture)



Continue reading